3

I want to know why the following query has . and "" in ".$_POST['date']." etc.

$query = "INSERT INTO eventcal ('eventDate','eventTitle','eventContent','user',
'user_id') VALUES('".$_POST['date']."','".addslashes($_POST['eventTitle'])."',
'".addslashes($_POST['eventContent'])."')";     

If I change to the following, will it make any difference?

VALUES('$_POST['date']','addslashes($_POST['eventTitle'])',
'addslashes($_POST['eventContent'])')

Thanks in advance.

Ignacio Vazquez-Abrams
shin
  • The query doesn't have dots, but is part of the string building process. Your question is PHP related, not (directly) MySQL related. And finally, your SQL allows SQL injection, so look for a better alternative like PDO. – Vinko Vrsalovic Jan 19 '10 at 07:16

4 Answers

2

It is the PHP form of concatenation (The quotes mark the end of the strings). In JavaScript and many other languages it is the + character that concatenates.

echo "hello" . " " . "world!"; // Outputs 'hello world!'

Yes, making that change would drastically change its meaning.

Finally, this is open to a severe SQL injection attack because date is not properly escaped.

Always sanitize your input and use parameterized queries where possible.

Doug Neiner
  • LOL... as if any SQL injection attack is not severe. – Doug Neiner Jan 19 '10 at 07:13
  • How can I sanitize the date? Can you give an example plz? – shin Jan 19 '10 at 07:46
  • You could just use `addslashes($_POST['date'])` like the other variables, but you should probably check this post that has a few ways to do it: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php – Doug Neiner Jan 19 '10 at 08:04
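The parameterized query that this answer and Vinko Vrsalovic's comment recommend, written out as an added example (not code from the question or from any answer). It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table in place of the MySQL eventcal table; the $input array stands in for $_POST, and parseDate is a hypothetical helper added here to validate the date field that the question's query leaves unescaped:

```php
<?php
// Added example: the question's INSERT rewritten with a PDO prepared statement.
// Values are bound to placeholders, so they never become part of the SQL text
// and no manual escaping (addslashes or otherwise) is needed.
// $input stands in for $_POST so the script runs from the command line.
$input = [
    'date'         => '2010-01-19',
    'eventTitle'   => "Bob's party",                       // constructed: contains a quote
    'eventContent' => "Bring cake; see 'details' later",   // constructed: quote and semicolon
];

// Validate the date field before it goes anywhere near the database.
// '!' resets unspecified fields; getLastErrors() returns false (PHP >= 8.2) or an
// array of counts when the value did not match the format exactly.
function parseDate(string $value): ?string
{
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    $err = DateTime::getLastErrors();
    if ($d === false || ($err !== false && ($err['warning_count'] || $err['error_count']))) {
        return null;
    }
    return $d->format('Y-m-d');
}

$date = parseDate($input['date']);
if ($date === null) {
    exit("invalid date\n");
}

// In-memory SQLite stands in for the MySQL table (assumption for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE eventcal (eventDate TEXT, eventTitle TEXT, eventContent TEXT)');

// Named placeholders instead of string concatenation; column names are plain
// identifiers, not single-quoted string literals as in the question's query.
$stmt = $pdo->prepare(
    'INSERT INTO eventcal (eventDate, eventTitle, eventContent) VALUES (:date, :title, :content)'
);
$stmt->execute([
    ':date'    => $date,
    ':title'   => $input['eventTitle'],
    ':content' => $input['eventContent'],
]);

// Read the row back: the quotes and the semicolon were stored as data,
// with no backslashes added and no effect on the statement itself.
foreach ($pdo->query('SELECT * FROM eventcal') as $row) {
    echo $row['eventDate'], ' | ', $row['eventTitle'], ' | ', $row['eventContent'], "\n";
}
```

Run it with `php example.php`. The same prepare/execute pattern works unchanged against MySQL by swapping the DSN (for example `mysql:host=...;dbname=...`); the point is that the query text is fixed before any user data is supplied, which is what addslashes-style escaping only approximates.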
1

The "dot" operator is PHP's operator for string concatenation. I think that using the addslashes function is a better idea than what you have in the first example but you will still need to use string concatenation as PHP's string interpolation only supports variables.

Andrew Hare
1

Single quotes inhibit variable interpolation, and the single quotes used in the array index would also terminate the string.

Also, use a library that supports query parametrization instead of adding the values in like this.

Ignacio Vazquez-Abrams
0

Yes, only variables are parsed in double quotes which means your functions won't be executed in the second code block.

Rowno
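The interpolation rules that Andrew Hare, Ignacio Vazquez-Abrams and Rowno describe, shown side by side as an added example (not code from any of the answers). The $input array stands in for $_POST so the script runs from the command line without a web request:

```php
<?php
// Added example: what PHP does with variables and function calls inside
// single quotes, double quotes, and with the dot (concatenation) operator.
// $input stands in for $_POST (assumption for this example).
$input = ['date' => '2010-01-19', 'eventTitle' => "Bob's party"];

// 1. Single quotes: nothing is interpolated; the text is kept literally,
//    so the output still contains the characters "$input[date]".
$single = 'Date: $input[date]';

// 2. Double quotes, simple syntax: an array element is parsed only with an
//    UNQUOTED key. Writing "$input['date']" here (quoted key, as in the
//    question's second snippet) is a parse error, not a working lookup.
$simple = "Date: $input[date]";

// 3. Double quotes, complex syntax: braces allow the quoted key.
$complex = "Date: {$input['date']}";

// 4. A function call is never executed inside a string; only the variable
//    inside its parentheses is replaced, and "addslashes(" stays as text.
$funcInString = "Title: addslashes($input[eventTitle])";

// 5. Concatenation: the string is closed, the expression is evaluated by PHP,
//    and its result is joined on. This is the pattern in the question's query.
$concat = "Title: " . addslashes($input['eventTitle']);

foreach (compact('single', 'simple', 'complex', 'funcInString', 'concat') as $name => $value) {
    echo str_pad($name, 14), $value, "\n";
}
```

Running it shows that only the `simple`, `complex` and `concat` forms contain the actual date or an escaped title; `single` keeps the literal `$input[date]` and `funcInString` keeps the literal text `addslashes(...)` around the raw title, which is why the second code block in the question would not escape anything.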